From: Edgecombe, Rick P > Sent: 04 February 2022 01:08 > Hi Thomas, > > Thanks for feedback on the plan. > > On Thu, 2022-02-03 at 22:07 +0100, Thomas Gleixner wrote: > > > Until now, the enabling effort was trying to support both Shadow > > > Stack and IBT. > > > This history will focus on a few areas of the shadow stack > > > development history > > > that I thought stood out. > > > > > > Signals > > > ------- > > > Originally signals placed the location of the shadow stack > > > restore > > > token inside the saved state on the stack. This was > > > problematic from a > > > past ABI promises perspective. So the restore location was > > > instead just > > > assumed from the shadow stack pointer. This works because in > > > normal > > > allowed cases of calling sigreturn, the shadow stack pointer > > > should be > > > right at the restore token at that time. There is no > > > alternate shadow > > > stack support. If an alt shadow stack is added later we > > > would > > > need to > > > > So how is that going to work? altstack is not an esoteric corner > > case. > > My understanding is that the main usages for the signal stack were > handling stack overflows and corruption. Since the shadow stack only > contains return addresses rather than large stack allocations, and is > not generally writable or pivotable, I thought there was a good > possibility an alt shadow stack would not end up being especially > useful. Does it seem like reasonable guesswork? The other 'problem' is that it is valid to longjump out of a signal handler. These days you have to use siglongjmp() not longjmp() but it is still used. It is probably also valid to use siglongjmp() to jump from a nested signal handler into the outer handler. Given both signal handlers can have their own stack, there can be three stacks involved. I think the shadow stack pointer has to be in ucontext - which also means the application can change it before returning from a signal. In much the same way as all the segment registers can be changed leading to all the nasty bugs when the final 'return to user' code traps in kernel when loading invalid segment registers or executing iret. Hmmm... do shadow stacks mean that longjmp() has to be a system call? David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)
On Sat, Feb 5, 2022 at 5:27 AM David Laight <David.Laight@aculab.com> wrote: > > From: Edgecombe, Rick P > > Sent: 04 February 2022 01:08 > > Hi Thomas, > > > > Thanks for feedback on the plan. > > > > On Thu, 2022-02-03 at 22:07 +0100, Thomas Gleixner wrote: > > > > Until now, the enabling effort was trying to support both Shadow > > > > Stack and IBT. > > > > This history will focus on a few areas of the shadow stack > > > > development history > > > > that I thought stood out. > > > > > > > > Signals > > > > ------- > > > > Originally signals placed the location of the shadow stack > > > > restore > > > > token inside the saved state on the stack. This was > > > > problematic from a > > > > past ABI promises perspective. So the restore location was > > > > instead just > > > > assumed from the shadow stack pointer. This works because in > > > > normal > > > > allowed cases of calling sigreturn, the shadow stack pointer > > > > should be > > > > right at the restore token at that time. There is no > > > > alternate shadow > > > > stack support. If an alt shadow stack is added later we > > > > would > > > > need to > > > > > > So how is that going to work? altstack is not an esoteric corner > > > case. > > > > My understanding is that the main usages for the signal stack were > > handling stack overflows and corruption. Since the shadow stack only > > contains return addresses rather than large stack allocations, and is > > not generally writable or pivotable, I thought there was a good > > possibility an alt shadow stack would not end up being especially > > useful. Does it seem like reasonable guesswork? > > The other 'problem' is that it is valid to longjump out of a signal handler. > These days you have to use siglongjmp() not longjmp() but it is still used. > > It is probably also valid to use siglongjmp() to jump from a nested > signal handler into the outer handler. > Given both signal handlers can have their own stack, there can be three > stacks involved. > > I think the shadow stack pointer has to be in ucontext - which also > means the application can change it before returning from a signal. > In much the same way as all the segment registers can be changed > leading to all the nasty bugs when the final 'return to user' code > traps in kernel when loading invalid segment registers or executing iret. > > Hmmm... do shadow stacks mean that longjmp() has to be a system call? No. setjmp/longjmp save and restore shadow stack pointer. -- H.J.
On Sat, 2022-02-05 at 05:29 -0800, H.J. Lu wrote: > On Sat, Feb 5, 2022 at 5:27 AM David Laight <David.Laight@aculab.com> > wrote: > > > > From: Edgecombe, Rick P > > > Sent: 04 February 2022 01:08 > > > Hi Thomas, > > > > > > Thanks for feedback on the plan. > > > > > > On Thu, 2022-02-03 at 22:07 +0100, Thomas Gleixner wrote: > > > > > Until now, the enabling effort was trying to support both > > > > > Shadow > > > > > Stack and IBT. > > > > > This history will focus on a few areas of the shadow stack > > > > > development history > > > > > that I thought stood out. > > > > > > > > > > Signals > > > > > ------- > > > > > Originally signals placed the location of the shadow > > > > > stack > > > > > restore > > > > > token inside the saved state on the stack. This was > > > > > problematic from a > > > > > past ABI promises perspective. So the restore location > > > > > was > > > > > instead just > > > > > assumed from the shadow stack pointer. This works > > > > > because in > > > > > normal > > > > > allowed cases of calling sigreturn, the shadow stack > > > > > pointer > > > > > should be > > > > > right at the restore token at that time. There is no > > > > > alternate shadow > > > > > stack support. If an alt shadow stack is added later > > > > > we > > > > > would > > > > > need to > > > > > > > > So how is that going to work? altstack is not an esoteric > > > > corner > > > > case. > > > > > > My understanding is that the main usages for the signal stack > > > were > > > handling stack overflows and corruption. Since the shadow stack > > > only > > > contains return addresses rather than large stack allocations, > > > and is > > > not generally writable or pivotable, I thought there was a good > > > possibility an alt shadow stack would not end up being especially > > > useful. Does it seem like reasonable guesswork? > > > > The other 'problem' is that it is valid to longjump out of a signal > > handler. > > These days you have to use siglongjmp() not longjmp() but it is > > still used. > > > > It is probably also valid to use siglongjmp() to jump from a nested > > signal handler into the outer handler. > > Given both signal handlers can have their own stack, there can be > > three > > stacks involved. So the scenario is? 1. Handle signal 1 2. sigsetjmp() 3. signalstack() 4. Handle signal 2 on alt stack 5. siglongjmp() I'll check that it is covered by the tests, but I think it should work in this series that has no alt shadow stack. I have only done a high level overview of how the shadow stack stuff, that doesn't involve the kernel, works in glibc. Sounds like I'll need to do a deeper dive. > > > > I think the shadow stack pointer has to be in ucontext - which also > > means the application can change it before returning from a signal. Yes we might need to change it to support alt shadow stacks. Can you elaborate why you think it has to be in ucontext? I was thinking of looking at three options for storing the ssp: - Stored in the shadow stack like a token using WRUSS from the kernel. - Stored on the kernel side using a hashmap that maps ucontext or sigframe userspace address to ssp (this is of course similar to storing in ucontext, except that the user can’t change the ssp). - Stored writable in userspace in ucontext. But in this version, without alt shadow stacks, the shadow stack pointer is not stored in ucontext. This causes the limitation that userspace can only call sigreturn when it has returned back to a point where there is a restore token on the shadow stack (which was placed there by the kernel). This doesn’t mean it can’t switch to a different shadow stack or handle a nested signal, but it limits the possibility for calling sigreturn with a totally different sigframe (like CRIU and SROP attacks do). It should hopefully be a helpful, protective limitation for most apps and I'm hoping CRIU can be fixed without removing it. I am not aware of other limitations to signals (besides normal shadow stack enforcement), but I could be missing it. And people's skepticism is making me want to go back over it with more scrutiny. > > In much the same way as all the segment registers can be changed > > leading to all the nasty bugs when the final 'return to user' code > > traps in kernel when loading invalid segment registers or executing > > iret. I don't think this is as difficult to avoid because userspace ssp has its own register that should not be accessed at that point, but I have not given this aspect enough analysis. Thanks for bringing it up. > > > > Hmmm... do shadow stacks mean that longjmp() has to be a system > > call? > > No. setjmp/longjmp save and restore shadow stack pointer. > It sounds like it would help to write up in a lot more detail exactly how all the signal and specialer stack manipulation scenarios work in glibc.
On Sat, Feb 5, 2022 at 12:15 PM Edgecombe, Rick P <rick.p.edgecombe@intel.com> wrote: > > On Sat, 2022-02-05 at 05:29 -0800, H.J. Lu wrote: > > On Sat, Feb 5, 2022 at 5:27 AM David Laight <David.Laight@aculab.com> > > wrote: > > > > > > From: Edgecombe, Rick P > > > > Sent: 04 February 2022 01:08 > > > > Hi Thomas, > > > > > > > > Thanks for feedback on the plan. > > > > > > > > On Thu, 2022-02-03 at 22:07 +0100, Thomas Gleixner wrote: > > > > > > Until now, the enabling effort was trying to support both > > > > > > Shadow > > > > > > Stack and IBT. > > > > > > This history will focus on a few areas of the shadow stack > > > > > > development history > > > > > > that I thought stood out. > > > > > > > > > > > > Signals > > > > > > ------- > > > > > > Originally signals placed the location of the shadow > > > > > > stack > > > > > > restore > > > > > > token inside the saved state on the stack. This was > > > > > > problematic from a > > > > > > past ABI promises perspective. So the restore location > > > > > > was > > > > > > instead just > > > > > > assumed from the shadow stack pointer. This works > > > > > > because in > > > > > > normal > > > > > > allowed cases of calling sigreturn, the shadow stack > > > > > > pointer > > > > > > should be > > > > > > right at the restore token at that time. There is no > > > > > > alternate shadow > > > > > > stack support. If an alt shadow stack is added later > > > > > > we > > > > > > would > > > > > > need to > > > > > > > > > > So how is that going to work? altstack is not an esoteric > > > > > corner > > > > > case. > > > > > > > > My understanding is that the main usages for the signal stack > > > > were > > > > handling stack overflows and corruption. Since the shadow stack > > > > only > > > > contains return addresses rather than large stack allocations, > > > > and is > > > > not generally writable or pivotable, I thought there was a good > > > > possibility an alt shadow stack would not end up being especially > > > > useful. Does it seem like reasonable guesswork? > > > > > > The other 'problem' is that it is valid to longjump out of a signal > > > handler. > > > These days you have to use siglongjmp() not longjmp() but it is > > > still used. > > > > > > It is probably also valid to use siglongjmp() to jump from a nested > > > signal handler into the outer handler. > > > Given both signal handlers can have their own stack, there can be > > > three > > > stacks involved. > > So the scenario is? > > 1. Handle signal 1 > 2. sigsetjmp() > 3. signalstack() > 4. Handle signal 2 on alt stack > 5. siglongjmp() > > I'll check that it is covered by the tests, but I think it should work > in this series that has no alt shadow stack. I have only done a high > level overview of how the shadow stack stuff, that doesn't involve the > kernel, works in glibc. Sounds like I'll need to do a deeper dive. > > > > > > > I think the shadow stack pointer has to be in ucontext - which also > > > means the application can change it before returning from a signal. > > Yes we might need to change it to support alt shadow stacks. Can you > elaborate why you think it has to be in ucontext? I was thinking of > looking at three options for storing the ssp: > - Stored in the shadow stack like a token using WRUSS from the kernel. > - Stored on the kernel side using a hashmap that maps ucontext or > sigframe userspace address to ssp (this is of course similar to > storing in ucontext, except that the user can’t change the ssp). > - Stored writable in userspace in ucontext. > > But in this version, without alt shadow stacks, the shadow stack > pointer is not stored in ucontext. This causes the limitation that > userspace can only call sigreturn when it has returned back to a point > where there is a restore token on the shadow stack (which was placed > there by the kernel). This doesn’t mean it can’t switch to a different > shadow stack or handle a nested signal, but it limits the possibility > for calling sigreturn with a totally different sigframe (like CRIU and > SROP attacks do). It should hopefully be a helpful, protective > limitation for most apps and I'm hoping CRIU can be fixed without > removing it. > > I am not aware of other limitations to signals (besides normal shadow > stack enforcement), but I could be missing it. And people's skepticism > is making me want to go back over it with more scrutiny. > > > > In much the same way as all the segment registers can be changed > > > leading to all the nasty bugs when the final 'return to user' code > > > traps in kernel when loading invalid segment registers or executing > > > iret. > > I don't think this is as difficult to avoid because userspace ssp has > its own register that should not be accessed at that point, but I have > not given this aspect enough analysis. Thanks for bringing it up. > > > > > > > Hmmm... do shadow stacks mean that longjmp() has to be a system > > > call? > > > > No. setjmp/longjmp save and restore shadow stack pointer. > > > > It sounds like it would help to write up in a lot more detail exactly > how all the signal and specialer stack manipulation scenarios work in > glibc. > setjmp/longjmp work on the same sigjmp_buf. Shadow stack pointer is saved and restored, just like any other callee-saved registers. -- H.J.
On 2/5/22 12:15, Edgecombe, Rick P wrote: > On Sat, 2022-02-05 at 05:29 -0800, H.J. Lu wrote: >> On Sat, Feb 5, 2022 at 5:27 AM David Laight <David.Laight@aculab.com> >> wrote: >>> >>> From: Edgecombe, Rick P >>>> Sent: 04 February 2022 01:08 >>>> Hi Thomas, >>>> >>>> Thanks for feedback on the plan. >>>> >>>> On Thu, 2022-02-03 at 22:07 +0100, Thomas Gleixner wrote: >>>>>> Until now, the enabling effort was trying to support both >>>>>> Shadow >>>>>> Stack and IBT. >>>>>> This history will focus on a few areas of the shadow stack >>>>>> development history >>>>>> that I thought stood out. >>>>>> >>>>>> Signals >>>>>> ------- >>>>>> Originally signals placed the location of the shadow >>>>>> stack >>>>>> restore >>>>>> token inside the saved state on the stack. This was >>>>>> problematic from a >>>>>> past ABI promises perspective. So the restore location >>>>>> was >>>>>> instead just >>>>>> assumed from the shadow stack pointer. This works >>>>>> because in >>>>>> normal >>>>>> allowed cases of calling sigreturn, the shadow stack >>>>>> pointer >>>>>> should be >>>>>> right at the restore token at that time. There is no >>>>>> alternate shadow >>>>>> stack support. If an alt shadow stack is added later >>>>>> we >>>>>> would >>>>>> need to >>>>> >>>>> So how is that going to work? altstack is not an esoteric >>>>> corner >>>>> case. >>>> >>>> My understanding is that the main usages for the signal stack >>>> were >>>> handling stack overflows and corruption. Since the shadow stack >>>> only >>>> contains return addresses rather than large stack allocations, >>>> and is >>>> not generally writable or pivotable, I thought there was a good >>>> possibility an alt shadow stack would not end up being especially >>>> useful. Does it seem like reasonable guesswork? >>> >>> The other 'problem' is that it is valid to longjump out of a signal >>> handler. >>> These days you have to use siglongjmp() not longjmp() but it is >>> still used. >>> >>> It is probably also valid to use siglongjmp() to jump from a nested >>> signal handler into the outer handler. >>> Given both signal handlers can have their own stack, there can be >>> three >>> stacks involved. > > So the scenario is? > > 1. Handle signal 1 > 2. sigsetjmp() > 3. signalstack() > 4. Handle signal 2 on alt stack > 5. siglongjmp() > > I'll check that it is covered by the tests, but I think it should work > in this series that has no alt shadow stack. I have only done a high > level overview of how the shadow stack stuff, that doesn't involve the > kernel, works in glibc. Sounds like I'll need to do a deeper dive. > >>> >>> I think the shadow stack pointer has to be in ucontext - which also >>> means the application can change it before returning from a signal. > > Yes we might need to change it to support alt shadow stacks. Can you > elaborate why you think it has to be in ucontext? I was thinking of > looking at three options for storing the ssp: > - Stored in the shadow stack like a token using WRUSS from the kernel. > - Stored on the kernel side using a hashmap that maps ucontext or > sigframe userspace address to ssp (this is of course similar to > storing in ucontext, except that the user can’t change the ssp). > - Stored writable in userspace in ucontext. > > But in this version, without alt shadow stacks, the shadow stack > pointer is not stored in ucontext. This causes the limitation that > userspace can only call sigreturn when it has returned back to a point > where there is a restore token on the shadow stack (which was placed > there by the kernel). I'll reply here and maybe cover multiple things. User code already needs to rewind the regular stack to call sigreturn -- sigreturn find the signal frame based on ESP/RSP. So if you call it from the wrong place, you go boom. I think that the Linux SHSTK ABI should have the property that no amount of tampering with just the ucontext and associated structures can cause sigreturn to redirect to the wrong IP -- there should be something on the shadow stack that also gets verified in sigreturn. IIRC the series does this, but it's been a while. The post-sigreturn SSP should be entirely implied by pre-sigreturn SSP (or perhaps something on the shadow stack), so, in the absence of an altshadowstack feature, no ucontext changes should be needed. We can also return from a signal or from more than one signal at once, as above, using siglongjmp. It seems like this should Just Work (tm), at least in the absence of altshadowstack. So this leaves altshadowstack. If we want to allow userspace to handle a shstk overflow, I think we need altshadowstack. And I can easily imagine signal handling in a coroutine or user-threading evironment (Go? UMCG or whatever it's called?) wanting this. As noted, this obnoxious Andy person didn't like putting any shstk-related extensions in the FPU state. For better or for worse, altshadowstack is (I think) fundamentally a new API. No amount of ucontext magic is going to materialize an entire shadow stack out of nowhere when someone calls sigaltstack(). So the questions are: should we support altshadowstack from day one and, if so, what should it look like? If we want to be clever, we could attempt to make altstadowstack compatible with RSTORSSP. Signal delivery pushes a restore token to the old stack (hah! what if the old stack is full?) and pushes the RSTORSSP busy magic to the new stack, and sigreturn inverts it. Code that wants to return without sigreturn does it manually with RSTORSSP. (Assuming that I've understood the arcane RSTORSSP sequence right. Intel wins major points for documentation quality here.) Or we could invent our own scheme. In either case, I don't immediately see any reason that the ucontext needs to contain a shadow stack pointer. There's a delightful wart to consider, though. siglongjmp, at least as currently envisioned, can't return off an altshadowstack: the whole point of the INCSSP distance restrictions to to avoid incrementing right off the top of the current stack, but siglongjmp off an altshadowstack fundamentally switches stacks. So either siglongjmp off an altshadowstack needs to be illegal or it needs to work differently. (By incssp-ing to the top of the altshadowstack, then switching, then incssp-ing some more? How does it even find the top of the current altshadowstack?) And the plot thickens if one tries to siglongjmp off two nested altshadowstack-using signals in a single call. Fortunately, since altshadowstack is a new API, it's not entirely crazy to have different rules. So I don't have a complete or even almost complete design in mind, but I think we do need to make a conscious decision either to design this right or to skip it for v1. As for CRIU, I don't think anyone really expects a new kernel, running new userspace that takes advantage of features in the new kernel, to work with old CRIU. Upgrading to a SHSTK kernel should still allow using CRIU with non-SHSTK userspace, but I don't see how it's possible for CRIU to handle SHSTK without updates. We should certainly do our best to make CRIU's life easy, though. This doesn’t mean it can’t switch to a different > shadow stack or handle a nested signal, but it limits the possibility > for calling sigreturn with a totally different sigframe (like CRIU and > SROP attacks do). It should hopefully be a helpful, protective > limitation for most apps and I'm hoping CRIU can be fixed without > removing it. > > I am not aware of other limitations to signals (besides normal shadow > stack enforcement), but I could be missing it. And people's skepticism > is making me want to go back over it with more scrutiny. > >>> In much the same way as all the segment registers can be changed >>> leading to all the nasty bugs when the final 'return to user' code >>> traps in kernel when loading invalid segment registers or executing >>> iret. > > I don't think this is as difficult to avoid because userspace ssp has > its own register that should not be accessed at that point, but I have > not given this aspect enough analysis. Thanks for bringing it up. > >>> >>> Hmmm... do shadow stacks mean that longjmp() has to be a system >>> call? >> >> No. setjmp/longjmp save and restore shadow stack pointer. >> > > It sounds like it would help to write up in a lot more detail exactly > how all the signal and specialer stack manipulation scenarios work in > glibc. >
On Mon, Feb 07 2022 at 17:31, Andy Lutomirski wrote:
> So this leaves altshadowstack. If we want to allow userspace to handle
> a shstk overflow, I think we need altshadowstack. And I can easily
> imagine signal handling in a coroutine or user-threading evironment (Go?
> UMCG or whatever it's called?) wanting this. As noted, this obnoxious
> Andy person didn't like putting any shstk-related extensions in the FPU
> state.
>
> For better or for worse, altshadowstack is (I think) fundamentally a new
> API. No amount of ucontext magic is going to materialize an entire
> shadow stack out of nowhere when someone calls sigaltstack(). So the
> questions are: should we support altshadowstack from day one and, if so,
> what should it look like?
I think we should support them from day one.
> So I don't have a complete or even almost complete design in mind, but I
> think we do need to make a conscious decision either to design this
> right or to skip it for v1.
Skipping it might create a fundamental design fail situation as it might
require changes to the shadow stack signal handling in general which
becomes a nightmare once a non-altstack API is exposed.
> As for CRIU, I don't think anyone really expects a new kernel, running
> new userspace that takes advantage of features in the new kernel, to
> work with old CRIU.
Yes, CRIU needs updates, but what ensures that CRIU managed user space
does not use SHSTK if CRIU is not updated yet?
> Upgrading to a SHSTK kernel should still allow using CRIU with
> non-SHSTK userspace, but I don't see how it's possible for CRIU to
> handle SHSTK without updates. We should certainly do our best to make
> CRIU's life easy, though.
Handling CRIU with SHSTK enabled has to be part of the overall design
otherwise we'll either end up with horrible hacks or with a requirement
to change the V1 UAPI....
Thanks,
tglx
On Tue, Feb 8, 2022, at 1:31 AM, Thomas Gleixner wrote: > On Mon, Feb 07 2022 at 17:31, Andy Lutomirski wrote: >> So this leaves altshadowstack. If we want to allow userspace to handle >> a shstk overflow, I think we need altshadowstack. And I can easily >> imagine signal handling in a coroutine or user-threading evironment (Go? >> UMCG or whatever it's called?) wanting this. As noted, this obnoxious >> Andy person didn't like putting any shstk-related extensions in the FPU >> state. >> >> For better or for worse, altshadowstack is (I think) fundamentally a new >> API. No amount of ucontext magic is going to materialize an entire >> shadow stack out of nowhere when someone calls sigaltstack(). So the >> questions are: should we support altshadowstack from day one and, if so, >> what should it look like? > > I think we should support them from day one. > >> So I don't have a complete or even almost complete design in mind, but I >> think we do need to make a conscious decision either to design this >> right or to skip it for v1. > > Skipping it might create a fundamental design fail situation as it might > require changes to the shadow stack signal handling in general which > becomes a nightmare once a non-altstack API is exposed. It would also expose a range of kernels in which shstk is on but programs that want altshadowstack don't have it. That would be annoying. > >> As for CRIU, I don't think anyone really expects a new kernel, running >> new userspace that takes advantage of features in the new kernel, to >> work with old CRIU. > > Yes, CRIU needs updates, but what ensures that CRIU managed user space > does not use SHSTK if CRIU is not updated yet? In some sense this is like any other feature. If a program uses timerfd but CRIU doesn't support timerfd, then it won't work. SHSTK is a bit unique because it's likely that all programs on a system will start using it all at once.
From: Edgecombe, Rick P > Sent: 05 February 2022 20:15 > > On Sat, 2022-02-05 at 05:29 -0800, H.J. Lu wrote: > > On Sat, Feb 5, 2022 at 5:27 AM David Laight <David.Laight@aculab.com> > > wrote: > > > > > > From: Edgecombe, Rick P > > > > Sent: 04 February 2022 01:08 > > > > Hi Thomas, > > > > > > > > Thanks for feedback on the plan. > > > > > > > > On Thu, 2022-02-03 at 22:07 +0100, Thomas Gleixner wrote: > > > > > > Until now, the enabling effort was trying to support both > > > > > > Shadow > > > > > > Stack and IBT. > > > > > > This history will focus on a few areas of the shadow stack > > > > > > development history > > > > > > that I thought stood out. > > > > > > > > > > > > Signals > > > > > > ------- > > > > > > Originally signals placed the location of the shadow > > > > > > stack > > > > > > restore > > > > > > token inside the saved state on the stack. This was > > > > > > problematic from a > > > > > > past ABI promises perspective. So the restore location > > > > > > was > > > > > > instead just > > > > > > assumed from the shadow stack pointer. This works > > > > > > because in > > > > > > normal > > > > > > allowed cases of calling sigreturn, the shadow stack > > > > > > pointer > > > > > > should be > > > > > > right at the restore token at that time. There is no > > > > > > alternate shadow > > > > > > stack support. If an alt shadow stack is added later > > > > > > we > > > > > > would > > > > > > need to > > > > > > > > > > So how is that going to work? altstack is not an esoteric > > > > > corner > > > > > case. > > > > > > > > My understanding is that the main usages for the signal stack > > > > were > > > > handling stack overflows and corruption. Since the shadow stack > > > > only > > > > contains return addresses rather than large stack allocations, > > > > and is > > > > not generally writable or pivotable, I thought there was a good > > > > possibility an alt shadow stack would not end up being especially > > > > useful. Does it seem like reasonable guesswork? > > > > > > The other 'problem' is that it is valid to longjump out of a signal > > > handler. > > > These days you have to use siglongjmp() not longjmp() but it is > > > still used. > > > > > > It is probably also valid to use siglongjmp() to jump from a nested > > > signal handler into the outer handler. > > > Given both signal handlers can have their own stack, there can be > > > three > > > stacks involved. > > So the scenario is? > > 1. Handle signal 1 > 2. sigsetjmp() > 3. signalstack() > 4. Handle signal 2 on alt stack > 5. siglongjmp() > > I'll check that it is covered by the tests, but I think it should work > in this series that has no alt shadow stack. I have only done a high > level overview of how the shadow stack stuff, that doesn't involve the > kernel, works in glibc. Sounds like I'll need to do a deeper dive. The posix/xopen definition for setjmp/longjmp doesn't require such longjmp requests to work. Although they still have to do something that doesn't break badly. Aborting the process is probably fine! > > > I think the shadow stack pointer has to be in ucontext - which also > > > means the application can change it before returning from a signal. > > Yes we might need to change it to support alt shadow stacks. Can you > elaborate why you think it has to be in ucontext? I was thinking of > looking at three options for storing the ssp: > - Stored in the shadow stack like a token using WRUSS from the kernel. > - Stored on the kernel side using a hashmap that maps ucontext or > sigframe userspace address to ssp (this is of course similar to > storing in ucontext, except that the user can’t change the ssp). > - Stored writable in userspace in ucontext. > > But in this version, without alt shadow stacks, the shadow stack > pointer is not stored in ucontext. This causes the limitation that > userspace can only call sigreturn when it has returned back to a point > where there is a restore token on the shadow stack (which was placed > there by the kernel). This doesn’t mean it can’t switch to a different > shadow stack or handle a nested signal, but it limits the possibility > for calling sigreturn with a totally different sigframe (like CRIU and > SROP attacks do). It should hopefully be a helpful, protective > limitation for most apps and I'm hoping CRIU can be fixed without > removing it. > > I am not aware of other limitations to signals (besides normal shadow > stack enforcement), but I could be missing it. And people's skepticism > is making me want to go back over it with more scrutiny. > > > > In much the same way as all the segment registers can be changed > > > leading to all the nasty bugs when the final 'return to user' code > > > traps in kernel when loading invalid segment registers or executing > > > iret. > > I don't think this is as difficult to avoid because userspace ssp has > its own register that should not be accessed at that point, but I have > not given this aspect enough analysis. Thanks for bringing it up. So the user ssp isn't saved (or restored) by the trap entry/exit. So it needs to be saved by the context switch code? Much like the user segment registers? So you are likely to get the same problems if restoring it can fault in kernel (eg for a non-canonical address). > > > Hmmm... do shadow stacks mean that longjmp() has to be a system > > > call? > > > > No. setjmp/longjmp save and restore shadow stack pointer. Ok, I was thinking that direct access to the user ssp would be a privileged operation. If it can be written you don't really have to worry about what code is trying to do - it can actually do what it likes. It just catches unintentional operations (like buffer overflows). Was there any 'spare' space in struct jmpbuf ? Otherwise you can only enable shadow stacks if everything has been recompiled - including any shared libraries the might be dlopen()ed. (or does the compiler invent an alloca() call somehow for a size that comes back from glibc?) I've never really considered how setjmp/longjmp handle callee saved register variables (apart from it being hard). The original pdp11 implementation probably only needed to save r6 and r7. What does happen to all the 'extended state' that XSAVE handles? IIRC all the AVX registers are caller saved (so should probably be zerod), but some of the SSE ones are callee saved, and one or two of the fpu flags are sticky and annoying enough the save/restore at the best of times. > It sounds like it would help to write up in a lot more detail exactly > how all the signal and specialer stack manipulation scenarios work in > glibc. Some cross references might have made people notice that the ucontext extensions for AVX512 (if not earlier ones) broke the minimal/default signal stack size. David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)
On Sun, Feb 6, 2022 at 5:42 AM David Laight <David.Laight@aculab.com> wrote:
>
> From: Edgecombe, Rick P
> > Sent: 05 February 2022 20:15
> >
> > On Sat, 2022-02-05 at 05:29 -0800, H.J. Lu wrote:
> > > On Sat, Feb 5, 2022 at 5:27 AM David Laight <David.Laight@aculab.com>
> > > wrote:
> > > >
> > > > From: Edgecombe, Rick P
> > > > > Sent: 04 February 2022 01:08
> > > > > Hi Thomas,
> > > > >
> > > > > Thanks for feedback on the plan.
> > > > >
> > > > > On Thu, 2022-02-03 at 22:07 +0100, Thomas Gleixner wrote:
> > > > > > > Until now, the enabling effort was trying to support both
> > > > > > > Shadow
> > > > > > > Stack and IBT.
> > > > > > > This history will focus on a few areas of the shadow stack
> > > > > > > development history
> > > > > > > that I thought stood out.
> > > > > > >
> > > > > > > Signals
> > > > > > > -------
> > > > > > > Originally signals placed the location of the shadow
> > > > > > > stack
> > > > > > > restore
> > > > > > > token inside the saved state on the stack. This was
> > > > > > > problematic from a
> > > > > > > past ABI promises perspective. So the restore location
> > > > > > > was
> > > > > > > instead just
> > > > > > > assumed from the shadow stack pointer. This works
> > > > > > > because in
> > > > > > > normal
> > > > > > > allowed cases of calling sigreturn, the shadow stack
> > > > > > > pointer
> > > > > > > should be
> > > > > > > right at the restore token at that time. There is no
> > > > > > > alternate shadow
> > > > > > > stack support. If an alt shadow stack is added later
> > > > > > > we
> > > > > > > would
> > > > > > > need to
> > > > > >
> > > > > > So how is that going to work? altstack is not an esoteric
> > > > > > corner
> > > > > > case.
> > > > >
> > > > > My understanding is that the main usages for the signal stack
> > > > > were
> > > > > handling stack overflows and corruption. Since the shadow stack
> > > > > only
> > > > > contains return addresses rather than large stack allocations,
> > > > > and is
> > > > > not generally writable or pivotable, I thought there was a good
> > > > > possibility an alt shadow stack would not end up being especially
> > > > > useful. Does it seem like reasonable guesswork?
> > > >
> > > > The other 'problem' is that it is valid to longjump out of a signal
> > > > handler.
> > > > These days you have to use siglongjmp() not longjmp() but it is
> > > > still used.
> > > >
> > > > It is probably also valid to use siglongjmp() to jump from a nested
> > > > signal handler into the outer handler.
> > > > Given both signal handlers can have their own stack, there can be
> > > > three
> > > > stacks involved.
> >
> > So the scenario is?
> >
> > 1. Handle signal 1
> > 2. sigsetjmp()
> > 3. signalstack()
> > 4. Handle signal 2 on alt stack
> > 5. siglongjmp()
> >
> > I'll check that it is covered by the tests, but I think it should work
> > in this series that has no alt shadow stack. I have only done a high
> > level overview of how the shadow stack stuff, that doesn't involve the
> > kernel, works in glibc. Sounds like I'll need to do a deeper dive.
>
> The posix/xopen definition for setjmp/longjmp doesn't require such
> longjmp requests to work.
>
> Although they still have to do something that doesn't break badly.
> Aborting the process is probably fine!
>
> > > > I think the shadow stack pointer has to be in ucontext - which also
> > > > means the application can change it before returning from a signal.
> >
> > Yes we might need to change it to support alt shadow stacks. Can you
> > elaborate why you think it has to be in ucontext? I was thinking of
> > looking at three options for storing the ssp:
> > - Stored in the shadow stack like a token using WRUSS from the kernel.
> > - Stored on the kernel side using a hashmap that maps ucontext or
> > sigframe userspace address to ssp (this is of course similar to
> > storing in ucontext, except that the user can’t change the ssp).
> > - Stored writable in userspace in ucontext.
> >
> > But in this version, without alt shadow stacks, the shadow stack
> > pointer is not stored in ucontext. This causes the limitation that
> > userspace can only call sigreturn when it has returned back to a point
> > where there is a restore token on the shadow stack (which was placed
> > there by the kernel). This doesn’t mean it can’t switch to a different
> > shadow stack or handle a nested signal, but it limits the possibility
> > for calling sigreturn with a totally different sigframe (like CRIU and
> > SROP attacks do). It should hopefully be a helpful, protective
> > limitation for most apps and I'm hoping CRIU can be fixed without
> > removing it.
> >
> > I am not aware of other limitations to signals (besides normal shadow
> > stack enforcement), but I could be missing it. And people's skepticism
> > is making me want to go back over it with more scrutiny.
> >
> > > > In much the same way as all the segment registers can be changed
> > > > leading to all the nasty bugs when the final 'return to user' code
> > > > traps in kernel when loading invalid segment registers or executing
> > > > iret.
> >
> > I don't think this is as difficult to avoid because userspace ssp has
> > its own register that should not be accessed at that point, but I have
> > not given this aspect enough analysis. Thanks for bringing it up.
>
> So the user ssp isn't saved (or restored) by the trap entry/exit.
> So it needs to be saved by the context switch code?
> Much like the user segment registers?
> So you are likely to get the same problems if restoring it can fault
> in kernel (eg for a non-canonical address).
>
> > > > Hmmm... do shadow stacks mean that longjmp() has to be a system
> > > > call?
> > >
> > > No. setjmp/longjmp save and restore shadow stack pointer.
>
> Ok, I was thinking that direct access to the user ssp would be
> a privileged operation.
User space can only pop shadow stack. longjmp does
#ifdef SHADOW_STACK_POINTER_OFFSET
# if IS_IN (libc) && defined SHARED && defined FEATURE_1_OFFSET
/* Check if Shadow Stack is enabled. */
testl $X86_FEATURE_1_SHSTK, %fs:FEATURE_1_OFFSET
jz L(skip_ssp)
# else
xorl %eax, %eax
# endif
/* Check and adjust the Shadow-Stack-Pointer. */
/* Get the current ssp. */
rdsspq %rax
/* And compare it with the saved ssp value. */
subq SHADOW_STACK_POINTER_OFFSET(%rdi), %rax
je L(skip_ssp)
/* Count the number of frames to adjust and adjust it
with incssp instruction. The instruction can adjust
the ssp by [0..255] value only thus use a loop if
the number of frames is bigger than 255. */
negq %rax
shrq $3, %rax
/* NB: We saved Shadow-Stack-Pointer of setjmp. Since we are
restoring Shadow-Stack-Pointer of setjmp's caller, we
need to unwind shadow stack by one more frame. */
addq $1, %rax
movl $255, %ebx
L(loop):
cmpq %rbx, %rax
cmovb %rax, %rbx
incsspq %rbx
subq %rbx, %rax
ja L(loop)
L(skip_ssp):
#endif
> If it can be written you don't really have to worry about what code
> is trying to do - it can actually do what it likes.
> It just catches unintentional operations (like buffer overflows).
>
> Was there any 'spare' space in struct jmpbuf ?
By pure luck, we have ONE spare space in sigjmp_buf.
> Otherwise you can only enable shadow stacks if everything has been
> recompiled - including any shared libraries the might be dlopen()ed.
> (or does the compiler invent an alloca() call somehow for a
> size that comes back from glibc?)
>
> I've never really considered how setjmp/longjmp handle callee saved
> register variables (apart from it being hard).
> The original pdp11 implementation probably only needed to save r6 and r7.
>
> What does happen to all the 'extended state' that XSAVE handles?
> IIRC all the AVX registers are caller saved (so should probably
> be zerod), but some of the SSE ones are callee saved, and one or
> two of the fpu flags are sticky and annoying enough the save/restore
> at the best of times.
>
> > It sounds like it would help to write up in a lot more detail exactly
> > how all the signal and specialer stack manipulation scenarios work in
> > glibc.
>
> Some cross references might have made people notice that the ucontext
> extensions for AVX512 (if not earlier ones) broke the minimal/default
> signal stack size.
>
> David
>
--
H.J.
* David Laight:
> Was there any 'spare' space in struct jmpbuf ?
jmp_buf in glibc looks like this:
(gdb) ptype/o jmp_buf
type = struct __jmp_buf_tag {
/* 0 | 64 */ __jmp_buf __jmpbuf;
/* 64 | 4 */ int __mask_was_saved;
/* XXX 4-byte hole */
/* 72 | 128 */ __sigset_t __saved_mask;
/* total size (bytes): 200 */
} [1]
(gdb) ptype/o __jmp_buf
type = long [8]
The glibc ABI reserves space for 1024 signals, something that Linux is
never going to implement. We can use that space to store a few extra
registers in __save_mask. There is a complication because the
pthread_cancel unwinding allocates only space for the __jmpbuf member.
Fortunately, we do not need to unwind the shadow stack for thread
cancellation, so we don't need that extra space in that case.
Thanks,
Florian
On Sun, 2022-02-06 at 13:42 +0000, David Laight wrote: > > I don't think this is as difficult to avoid because userspace ssp > > has > > its own register that should not be accessed at that point, but I > > have > > not given this aspect enough analysis. Thanks for bringing it up. > > So the user ssp isn't saved (or restored) by the trap entry/exit. > So it needs to be saved by the context switch code? > Much like the user segment registers? > So you are likely to get the same problems if restoring it can fault > in kernel (eg for a non-canonical address). PL3_SSP is lazily saved and restored by the FPU supervisor xsave code, which has its buffer in kernel memory. For the most part it is userspace instructions that use this register and they can only modify it in limited ways. It does look like IRET can cause a #CP if the PL3 SSP is not aligned, but only after RIP and CPL are set back to userspace. I'm not confident enough interpreting the specs to assert the specific behavior and will follow up internally to clarify.
© 2016 - 2026 Red Hat, Inc.